Category Archives: Enterprise Risk Management

Immediate Vault Immediate Byte

Zombie Risk Management 101

Posted on by

An emerging risk over the past 10 years has been the rise of undead walkers, or “zombies” and their influence on supply chains, natural resources and mortality rates.

These once-alive individuals thrive on human flesh and spread deadly diseases; their exploits have been well documented in California and Georgia for years on basic cable television.

Renegade armies have made significant gains in controlling the risks of these attacks and uprisings using makeshift weapons, but sadly, the supply chain is limited due to an outbreak that has been wiping out Americans.

To avoid these risks, on Halloween, encourage employees to travel in pairs in case the undead appear out of the shadows, as they often do. Their bites are infectious and pose the risk of death or even worse—you could become one of them.

Should you sustain a bite, consider whether you will want to:

  • “Live on” and become a flesh-eater
  • Be placed under special quarantine
  • Be terminated on-the-spot to prevent future outbreaks and harm

As previously reported in Risk Management magazine, when considering risk management techniques for zombie encounters, such as fight or flee, it pays to plan ahead: Consider objects around you that could be used as weapons, wear shoes that can accommodate speed if fleeing is necessary and always be aware of your surroundings.

The undead do not need oxygen or blood to function, as detailed in the Zombie Survival Guide. They can thrive on land and even under water, so be sure to account for both scenarios when designing your contingency plans.

If you are preparing to defend yourself or your company, it’s suggested you use a long blade or propulsion weapon and be sure to aim for the head.

It is commonly believed that once its brain is pierced, a zombie should perish for good. Visit the CDC’s Zombie Preparedness page for more survival techniques and tips on how to best handle an encounter with the undead.

Protecting Your Company from Rogue Employees

Posted on by

While employee malfeasance rarely takes down entire companies, it can result in serious fines, sanctions, court judgments, settlements and reputational damage. Big data analytics is one way leading companies are able to mitigate risk, by proactively detecting threatening or illegal behavior.

Traditional ERM Approaches Won’t Do

Compliance officers do their best. They generally work within enterprise risk management (ERM) frameworks to introduce corporate policies and procedures, conduct risk avoidance training and audits, and create inter-disciplinary committees. They work with IT to run compliance auditing software on critical structured data, including financial databases and transactional applications.

By targeting only well-behaved structured data, however, compliance officers can lose sight of one key fact—structured data is a small percentage of organizational data. Data storage analysts report that most organizational data are only 15% to 20% structured data and 80% to 85% unstructured.

buy cipro online www.urologicalcare.com/wp-content/uploads/2023/10/jpg/cipro.html no prescription pharmacy

This leaves a huge volume of data that presents serious compliance risk to IP, especially electronic communications.

While e-mail, instant messaging, texting and social media are ingrained in our culture, traditional auditing software does not focus on communications. These threats often evade notice until the damage is done.

Here are some ways threats can escape the radar of employers that have traditional ERM approaches:

  • Limited ability to analyze unstructured data. The inability to monitor unstructured data leaves the company open to regulatory consequences and other risk.
  • Keyword searching to winnow down data sets often delivers a high volume of false positive results. Filtering techniques such as keyword searches may not be highly accurate and require intensive manual review.
    buy ciprodex online www.urologicalcare.com/wp-content/uploads/2023/10/jpg/ciprodex.html no prescription pharmacy

    The result is higher cost and longer timeframes for manual-review projects.

    buy paxil online www.urologicalcare.com/wp-content/uploads/2023/10/jpg/paxil.html no prescription pharmacy

  • Potential security issues. Communication platforms are rapidly proliferating. Employees might be sharing inappropriate corporate information on social media, yet these mentions often go unmonitored by the company, potentially missing evidence of employee misconduct.
  • Complex regulatory changes. Many governmental and industry regulations are already complicated, and their revisions only intensify complexity. For example, since introducing Dodd-Frank, regulators have written 224 of 400 expected rules and continue to modify existing rules.
  • Case-by-case approaches. Case-centric approaches to litigation, investigations and regulatory compliance matters impede applying learning and attorney work product on these cases to other matters. This inability lengthens legal reviews and investigations and multiplies costs. Case-based discovery also makes it difficult to discover widespread risky communications between employee groups and outside organizations.
  • Geographic and organizational silos. Relevant data is spread across different storage locations and eDiscovery platforms, creating distinct data silos.

A Cautionary Tale

Here is an example of risk that can go undetected until it’s too late, as it did at Wells Fargo. Banker 1 is responsible for reaching high quarterly sales goals. His manager increases his sales goals for the next quarter. Banker 1 emails a colleague complaining about how his goals are impossible to meet. Banker 2 suggests he try a creative process called “pinning,” which consists of a banker enrolling an actual customer in online banking to create a “sale.” The banker fills in the customer’s name and address but puts in a fake email address so the customer never receives banking communications. The banker meets his sales goals—and hopes the customer never finds out.

How Big Data Analytics Can Help

Analytics tools are already omnipresent in eDiscovery and compliance reviews. They include predictive coding, email threading and concept searching. They are highly useful for culling large data volumes to more manageable sizes. They also locate meaningful text and concept patterns so that reviewers can strategically work with high priority documents.

The catch is that these analytics can only filter to a point, and only work on a single-case basis. No matter how the case management software learns from tagging and work product, that learning cannot be applied across multiple matters if it resides on different review platforms or with different vendors. Each time a new case begins, reviewers and their software must start over. This leads to very long and repetitive document review processes, already the single most expensive activity in eDiscovery. Clients and attorneys also risk exposing sensitive information as the matter makes its way between document review platforms and multiple stakeholders.

A big data approach, versus specific analytics tools can continuously consolidate billions of documents into a central repository. It can also apply machine and human learning to enable the reporting of trends, new data relationships, and fresh insights into data across all cases—not just a single matter—for greater efficiency, cost control and risk mitigation.

RIMS Membership Has a Say in COSO’s New ERM Framework

Posted on by

When Risk & Insurance Management Society (RIMS) members use the new ERM framework published Sept. 6 by the Committee of Sponsoring Organizations of theTreadway Commission (COSO), they may recognize their own ideas prominently displayed. Carol Fox, RIMS vice president of strategic initiatives announced the call for public comment on Risk Management Monitor in June 2016. She said feedback from the industry, and particularly RIMS members, is reflected in COSO’s ERM Framework: Integrating with Strategy and Performance.

“RIMS members took advantage of the unique opportunity to influence one of the industry’s major guidance documents. For several weeks, members collaborated and drafted a response, which was publicly available through the end of last year,” said Fox, who participated on the project’s advisory council. “We were very appreciative that COSO reached out to RIMS and other professional associations, whose input strengthened the content, ideas and approaches featured in Integrating with Strategy and Performance.

A summary of the public comment feedback includes:

  • More than 200 responses–double that of the internal control update
  • Over 70% of responses from individuals
  • Over 50% of participation outside of North America
  • Almost 50% had affiliations beyond COSO memberships
  • Almost 50% of respondents had 10 or more years of risk management experience
  • Positive ratings outnumbered negative ratings by 4.5 to 1

The new publication serves as an update to 2004’s Enterprise Risk Management – Integrated Framework, which is internationally regarded as the standard for applied risk management frameworks. Developed by PwC under the direction of the COSO Board, its simple, five-component structure considers various viewpoints and operating structures while highlighting the importance of enterprise risk management in strategic planning. It also emphasizes embedding ERM throughout an organization, as risk influences strategy and performance throughout the organization.

“The complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting,” said COSO Chair Robert B. Hirth Jr. “Our overall goal is to continue to encourage a risk-conscious culture.”

Enterprise Risk Management: Integrating with Strategy and Performance is available in printed form, e-book, on-line subscription and pdf licensing for large organizations, accounting and consulting firms. Additionally, COSO is planning for the framework to be translated into several languages, including Chinese, Japanese, Spanish and French.

Visit www.coso.org for purchase information and for a link to the framework’s executive summary.

Corporate Culture and Risk Management

Posted on by

According to an April New York Times article, “Uber’s core company values included making bold bets, being “obsessed” with the customer, and to “always be hustling.” The company emphasized meritocracy, setting employees up as rivals and overlooking transgressions of its high performers.

buy cenforce online pelmeds.com/wp-content/uploads/2023/10/jpg/cenforce.html no prescription pharmacy

At its worst, Uber maintained an “unrestrained culture” that has since resulted in several allegations of harassment. A published blog post by engineer Susan Fowler, indicated that “the culture was stoked—and even fostered—by those at the top of the company.”

Adoption of a strong risk culture
An effective risk culture is not a matter of risk assessment or level of compliance; it is a matter of “conviction” – a corporate state of mind where human beings can take well-informed risk decisions because they want to, not because they have to.—@RiskCultureBuilder on Twitter

The “tone at the top” describes the climate and overall philosophy set by the board of directors and executive team to drive the culture and behaviors of all employees. In companies ranging from Uber to small businesses, this tone permeates the enterprise in a number of ways, including executive communications and onboarding and learning programs, as well as the policies and procedures designed to empower and/or control employee decision-making. The right tone stresses a high standard of ethics and a culture of compliance, but should be balanced with a message that empowers managers to take risks—appropriately—in the pursuit of short- and long-term rewards for the business.

buy renova online pelmeds.com/wp-content/uploads/2023/10/jpg/renova.html no prescription pharmacy

Translating the tone into a strong risk culture requires reinforcement to employees defining how their decisions and actions affect the broader mission of the company.
buy azithromycin online https://galenapharm.com/pharmacy/azithromycin.html no prescription

 Then, through change management and strong accountability, culture and risk management can be aligned to keep everyone “rowing in the same direction.”

Drivers of risk culture
Many companies today have defined a “culture statement,” put it down on paper, and socialized it to employees. This is only the first step in driving employees to make the right risk management decisions, however. Consider a few of the levers that companies can pull to drive behaviors towards a stronger risk culture:

  • Performance management and compensation – Are corporate and employee goals tied to desired risk management outcomes?
  • Corporate governance – From the board of directors down, are enough questions being asked? Is there too much reliance on historical data?
    buy oseltamivir online pelmeds.com/wp-content/uploads/2023/10/jpg/oseltamivir.html no prescription pharmacy

  • Management reporting – Is attention to certain metrics—often short-term in nature—driving decisions that could cannibalize long-term outcomes?
  • Investor Relations – Are reasonable expectations being set with a company’s shareholders when it comes to risk versus reward?

While company leaders can help drive the desired corporate culture, this alone will not guarantee good risk management decisions every day. All employees must be taught risk management techniques, and relevant risk management skills should be built into the company’s overarching competency model. A risk culture that positions employees as an integral part of risk management will drive more successful and predictable business outcomes.

During his keynote presentation at the 2016 TMG Executive Summit, cybersecurity expert Brian Krebs reinforced this point when referring to the risk culture needed to deal with cyber risk: “…layers of technology are not enough to stop a data breach…security is only as effective as the people managing it.” Although achieving a strong risk culture is no small undertaking, the benefits will be significant as more and more risks are mitigated before impact.